Most recent users on your Mac, the “asl” directory, and permissions

May 13, 2014

If you want to find out who the most recent users on your Mac have been, there are ways to do that. Maybe you want to see if someone has been using your Mac. Or how many times you’ve logged in. Or, if it’s your employer’s Mac, who has been using it. You might also want to reliably know who the current user is. (Hint: “whoami” is unreliable, for if you’re in as sudo or root, it will report that, not the current console user.)

The typical way to scrape the current and most recent users list is the command “last -t console”. You will find many websites saying this is definitively the way to find this information, and that if you wanted to pore over that data manually, it’s in /var/log/wtmp.

Not so.

First, you will find that a non-admin user in OS X will get no output from the “last -t console” command.

And when you go poking around wtmp, you’ll find it empty.

You see, Apple moved away from using wtmp after Mac OS X 10.4. That was a while ago. But many websites claim to this day that it’s still in use.

Where did Apple move this information? To /var/log/asl. That’s a directory containing binary files with all the login information you are seeking.